Hackers and Vampires Agree: Every Byte Counts
Headlining the release today is a new exploit module by jheysel-r7 that chains two vulnerabilities to target Magento/Adobe Commerce systems. The first, CVE-2024-34102, is an arbitrary file read used to determine the version and layout of the glibc library; the second, CVE-2024-2961, is a single-byte buffer overflow, and it is impressive what can be done with a single byte. By creating an intricate heap layout through specific memory allocation calls in PHP, an attacker can groom the heap contents in such a way that the single-byte overflow changes a flag in the custom_heap structure, which then results in a system call containing arbitrary data.
New module content (1)
CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
Authors: Charles Fol, Heyder, Sergey Temnikov, and jheysel-r7
Type: Exploit
Pull request: #19544 contributed by jheysel-r7
Path: linux/http/magento_xxe_to_glibc_buf_overflow
AttackerKB reference: CVE-2024-34102
Description: Adds a new module exploit/linux/http/magento_xxe_to_glibc_buf_overflow which uses a combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961) to gain unauthenticated Remote Code Execution on multiple versions of Magento and Adobe Commerce, including versions less than 2.4.6-p5.
Enhancements and features (2)
- #19536 from GhostlyBox - Updated the post/windows/gather/enum_unattend.rb module to now include checks for '.vmimport' files, which may have been created by the AWS EC2 VMIE service and which will contain cleartext credentials.
- #19567 from bcoles - Adds default vendor passwords for common single-board computers (SBCs) to wordlists.
Bugs fixed (4)
- #19571 from sjanusz-r7 - Fixes an issue that stopped users from using navigational arrow keys in msfconsole on newer Windows 11 installs.
- #19572 from cdelafuente-r7 - Fixes an issue in the UPDATE action of admin/ldap/ad_cs_cert_template.
- #19576 from adfoster-r7 - Fixes a crash when importing a Metasploit XML file with Ruby 3.2 and above.
- #19577 from adfoster-r7 - Fixes a crash when running the shell command with a Meterpreter session.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/10/25/metasploit-weekly-wrap-up-10-25-2024/